b" FEDERAL INFORMATION SECURITY\n    MANAGEMENT ACT REPORT\n\n\n  Fiscal Year 2005 Evaluation of the Social\nSecurity Administration's Compliance with the\nFederal Information Security Management Act\n\n\n\n\n                  A-14-05-15060\n\n\n\n September 2005   Patrick P. O\xe2\x80\x99Carroll, Jr. \xe2\x80\x93 Inspector General\n\x0c                                    Mission\nWe improve SSA programs and operations and protect them against fraud, waste,\nand abuse by conducting independent and objective audits, evaluations, and\ninvestigations. We provide timely, useful, and reliable information and advice to\nAdministration officials, the Congress, and the public.\n\n                                   Authority\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n      Conduct and supervise independent and objective audits and\n      investigations relating to agency programs and operations.\n      Promote economy, effectiveness, and efficiency within the agency.\n      Prevent and detect fraud, waste, and abuse in agency programs and\n      operations.\n      Review and make recommendations regarding existing and proposed\n      legislation and regulations relating to agency programs and operations.\n      Keep the agency head and the Congress fully and currently informed of\n      problems in agency programs and operations.\n\n  To ensure objectivity, the IG Act empowers the IG with:\n\n      Independence to determine what reviews to perform.\n      Access to all information necessary for the reviews.\n      Authority to publish findings and recommendations based on the reviews.\n\n                                     Vision\nBy conducting independent and objective audits, investigations, and evaluations,\nwe are agents of positive change striving for continuous improvement in the\nSocial Security Administration's programs, 
operations, and management and in\nour own office.\n\x0c                                            SOCIAL SECURITY\nMEMORANDUM\n\nDate:   September 16, 2005                                                         Refer To:\n\nTo:     The Commissioner\n\nFrom:   Inspector General\n\nSubject: Fiscal Year 2005 Evaluation of the Social Security Administration\xe2\x80\x99s Compliance with the\n        Federal Information Security Management Act (A-14-05-15060)\n\n\n        OBJECTIVE\n\n        Our objective was to determine if the Social Security Administration\xe2\x80\x99s (SSA) overall\n        security program and practices complied with the requirements of the Federal\n        Information Security Management Act of 2002 (FISMA).1\n\n        BACKGROUND\n\n        FISMA provides the framework for securing the Federal Government\xe2\x80\x99s information\n        technology including both unclassified and national security systems. All agencies must\n        implement the requirements of FISMA and report annually to the Office of Management\n        and Budget (OMB) and Congress on the effectiveness of their security programs.\n\n        OMB uses the information to help evaluate agency-specific and government-wide\n        security performance, develop its annual security report to Congress, assist in\n        improving and maintaining adequate agency security performance, and inform\n        development of the eGovernment (eGov) Scorecard under the President\xe2\x80\x99s Management\n        Agenda (PMA).\n\n        OMB developed a traffic light scorecard to show the progress agencies have made:\n        green for success, yellow for mixed results, and red for unsatisfactory. SSA\xe2\x80\x99s current\n        status is yellow and its score for progress in implementing eGov services is green.\n        Many of the elements of the eGov initiative overlap or duplicate the requirements of\n        FISMA. 
In our results of review, we highlight when the FISMA issue also impacts\n        whether the Agency can meet the eGov security requirements. See Appendix C for\n        more background.\n\n\n\n\n        1\n            Public Law 107-347, Title III, section 301.\n\x0cPage 2 \xe2\x80\x93 The Commissioner\n\n\nSCOPE AND METHODOLOGY\nFISMA directs each agency\xe2\x80\x99s Office of the Inspector General (OIG) to perform an\nannual, independent evaluation of the agency\xe2\x80\x99s information security program and\npractices.2 SSA\xe2\x80\x99s OIG contracted with PricewaterhouseCoopers, LLP (PwC) to audit\nSSA\xe2\x80\x99s Fiscal Year (FY) 2005 financial statements.3 Because of the extensive internal\ncontrol system work that is completed as part of that audit, our FISMA review\nrequirements were incorporated into the PwC financial statement audit contract. This\nevaluation included reviews of SSA\xe2\x80\x99s mission critical sensitive systems as described in\nthe Government Accountability Office\xe2\x80\x99s Federal Information System Controls Audit\nManual. PwC performed an \xe2\x80\x9cagreed-upon procedures\xe2\x80\x9d engagement using FISMA,\nOMB and the National Institute of Standards and Technology (NIST) guidance, and\nother relevant security laws and regulations as a framework to complete the required\nOIG review of SSA\xe2\x80\x99s information security program and its sensitive systems.4 See\nAppendix D for more details on our Scope and Methodology.\n\nSUMMARY OF RESULTS\nDuring our FY 2005 FISMA evaluation, we determined that SSA has generally met the\nrequirements of FISMA. SSA continues to work towards maintaining a secure\nenvironment for its information and systems and has made improvements over the past\nyear to further strengthen its compliance with FISMA. Among the elements of its secure\nenvironment are sound remediation, certification and accreditation, and inventory\nprocesses. 
To fully meet the requirements of FISMA and enhance information\nmanagement in this area, SSA should:\n\xe2\x80\xa2   Fully comply with the Agency\xe2\x80\x99s risk models and configuration guides;\n\xe2\x80\xa2   Ensure that the Continuity of Operations Plan (COOP) is updated and tested\n    appropriately;\n\xe2\x80\xa2   Improve monitoring of contractor security awareness training; and\n\xe2\x80\xa2   Formalize the policy and procedures for maintaining the systems inventory.\n\nSSA\xe2\x80\x99S REMEDIATION, CERTIFICATION AND ACCREDITATION, AND INVENTORY\nPROCESSES ARE PERFORMING ADEQUATELY\n\nDuring FY 2004, SSA implemented a software tool, Automated Security Self-Evaluation\nand Remediation Tracking (ASSERT), to monitor and report system security\nweaknesses. ASSERT also tracks the remediation process for those weaknesses.\nSSA continues to effectively monitor its remediation process through the use of the\n\n2\n  Public Law 107-347, Title III, section 301, 44 U.S.C. \xc2\xa73545 (b)(1).\n3\n  OIG Contract Number GS-23F-0165N, dated March 16, 2001. FY 2005 option was exercised on\nNovember 29, 2004.\n4\n  OMB Memorandum M-05-15, FY 2005 Reporting Instructions for the Federal Information Security\nManagement Act and Agency Privacy Management, June 13, 2005 and NIST Special Publication 800-26,\nSecurity Self-Assessment Guide for Information Technology Systems, November 2001.\n\x0cPage 3 \xe2\x80\x93 The Commissioner\n\n\nASSERT software tool in accordance with FISMA and OMB FISMA guidance.5\nCurrently, ASSERT properly tracks over 50 security weaknesses. None of the\nweaknesses tracked in ASSERT were reported to OMB in SSA\xe2\x80\x99s second and third\nquarter reports during FY 2005. 
Although the Agency has a Financial Statement\nreportable condition6 to improve its protection of information, the Agency chose to only\nreport weaknesses for January through June 2005 to OMB based on the OMB FISMA\nguidance definition of significant deficiency.7 OIG works with the Office of the Chief\nInformation Officer to ensure that the ASSERT database is complete and corrective\nactions are undertaken to remediate the security weaknesses.\n\nSSA, in FY 2004, completed an inventory of all systems and subsystems consisting of\n20 major systems as well as over 300 subsystems. SSA updated the systems inventory\nin FY 2005 and based on our review, it appears to be complete. As of September 2005,\nSSA did not have a policy to update its systems inventory. Such a policy is needed to\neffectively update and maintain the systems inventory. The Agency is in the process of\ndeveloping this policy.\n\nSSA prepared Certifications and Accreditations (C&A) for each of the 20 major systems\nin accordance with NIST Special Publication 800-37. We reviewed the 20 C&As for the\nmajor systems. During the course of our audit, we did note several outdated items in\none of the C&As. These items were brought to the Agency\xe2\x80\x99s attention and immediately\ncorrected. Nothing came to our attention that led us to believe that there were any\nsignificant omissions from the C&A process. As a result, over 90 percent of the\nAgency\xe2\x80\x99s major systems and subsystems were covered by the C&As. 
See Appendix E\nfor the complete list of major systems that were certified and accredited in FY 2005.\n\nThe successful implementation of these security measures has helped SSA maintain a\nsound security program that complies with FISMA.\n\nSYSTEMS NEED TO FULLY COMPLY WITH SECURITY CONFIGURATIONS\n\nOMB FISMA guidance and the PMA management scorecard requires agencies to\ndevelop configuration standards for their Information Technology (IT) systems and have\nthe systems installed and maintained in accordance with these security configuration\nstandards.8 SSA developed risk models for all operating systems used in its networks.\n\n\n5\n  Public Law 107-347, Title III, section 301, 44 U.S.C. \xc2\xa73544 (b)(6) and OMB Memorandum M-05-15,\nFY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy\nManagement, June 13, 2005.\n6\n  SSA\xe2\x80\x99s FY 2004 Performance and Accountability Report, page 212.\n7\n  OMB Memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security\nManagement Act, (page 8) states that a significant deficiency under FISMA is comparable to a material\nweakness under the Federal Managers Financial Integrity Act.\n8\n  OMB Memorandum M-05-15, FY 2005 Reporting Instructions for the Federal Information Security\nManagement Act and Agency Privacy Management, June 13, 2005, pages 15-17 and 23-25 and PMA\nscorecard standards at http://www.whitehouse.gov/results/agenda/standards.pdf as of August 18, 2005,\npage 4.\n\x0cPage 4 \xe2\x80\x93 The Commissioner\n\n\nIn addition, SSA is developing a single configuration guide for all other system\ncomponents and a separate appendix for various components such as Oracle.\n\nIt was observed that the Office of the Actuary had a small number of Linux servers that\nwere connected to the SSA network for most of FY 2005. SSA does not have any risk\nmodels for the Linux operating system. 
SSA has decided to take the Linux servers off\nthe system since they do not have any risk models for Linux. The plan is to have Linux\nservers removed from the SSA network and out of operation by September 30, 2005.\nThey will be replaced with servers for which SSA has risk models.\n\nTo determine compliance with the Agency\xe2\x80\x99s risk models, we tested a number of servers\nfor the Unix and Windows 2000 operating systems. The results of our testing disclosed\ninstances of noncompliance with the risk models or configuration guide. Computers that\nare not in compliance with the Agency risk models are more vulnerable to security\nthreats imposed by hackers, computer viruses, worms, and denial of service attacks.\nBy ensuring that Agency computers are in compliance with their risk models, SSA can\nbetter secure the valuable information that has been entrusted to its care.\n\nSSA CONTINUITY OF OPERATIONS TESTING\n\nFISMA codifies a longstanding policy requirement that each agency\xe2\x80\x99s security program\nand security plan include the provision for a COOP for information systems that support\nthe operations and assets of the agency.9 Additionally, the eGov initiatives require\nagencies to consolidate and optimize all infrastructures for their COOPs.10 SSA did\nparticipate in the Governmentwide COOP exercise in June 2005. This desk top review\nincluded a test of all the major information systems and met the OMB requirement for\nan annual contingency test.\n\nSSA continues to address its COOP and Disaster Recovery Exercise (DRE) issues for\nthe entire Agency. SSA needs to make certain that both COOP and DRE are updated\nannually to ensure the Agency can adequately function in the event of an emergency or\ndisaster. Specifically, the Agency should add new applications, such as Internet and\nIntranet and other important systems to the COOP and DRE. For the past several\nyears, SSA performed an annual week-long DRE in May or June. 
During the exercises,\nthe major systems were tested to see if they would perform in the event of a disaster.\nThe Agency\xe2\x80\x99s last DRE was in June 2004. This year, the Agency postponed its DRE\nuntil January or February 2006 because it felt, and we concurred, that it would be better\nto expand the test into a 2-week exercise. The Agency\xe2\x80\x99s DRE contractor was unable to\naccommodate SSA until 2006.\n\nFurthermore, the COOP did not address information and information systems provided\nor managed by other agencies, contractors or other sources. For example, SSA relies\nheavily upon other Federal and State Government agencies such as State Disability\nDetermination Services and the Department of Treasury. In the event of a disaster,\n\n9\n    Public Law 107-347, Title III, section 301, 44 U.S.C \xc2\xa7 3544(b)(8)).\n10\n     http://www.whitehouse.gov/results/agenda/standards.pdf as of August 18, 2005, page 4.\n\x0cPage 5 \xe2\x80\x93 The Commissioner\n\n\nSSA is uncertain as to the availability of these agencies. SSA should ensure that its\nCOOP is updated and tested appropriately.11\n\nSSA NEEDS TO BETTER MONITOR CONTRACTOR SECURITY AWARENESS AND\nTRAINING\n\nSSA provides security awareness training to all employees and information security\ntraining to employees with specialized security responsibilities. SSA modified its\nsystems to more accurately track the IT security training provided to each employee.\nAccording to OMB\xe2\x80\x99s guidance, agencies are required to ensure that contractors with\nsignificant security responsibility have security awareness and specialized training.12\nThe Agency has numerous contractors who perform major IT security tasks such as\nmonitoring firewalls. Some of these contractors have received security awareness\ntraining and specialized security training, but SSA does not fully monitor or review the\nsecurity awareness or specialized training of all contractors. 
All contractors who have\naccess to SSA systems should have an annual security awareness training to ensure\nthat they are knowledgeable of the importance of protecting SSA\xe2\x80\x99s sensitive information.\nContractors who perform technical IT security functions should receive specialized\ntraining on a regular basis. SSA should consider monitoring its contractors better to\nensure that they have adequate security awareness and specialized systems training.\n\nCONCLUSION AND RECOMMENDATIONS\n\nDuring our FY 2005 FISMA evaluation, we determined that SSA generally met the\nrequirements of FISMA. SSA worked cooperatively with the OIG to identify ways to\ncomply with FISMA. SSA developed and implemented a wide range of security policies,\nplans, and practices to safeguard its systems, operations, and assets. To fully comply\nand ensure future compliance with FISMA and other information security related laws\nand regulations, we recommend SSA:\n1. Ensure all computers and servers comply with Agency\xe2\x80\x99s risk models and\n   configuration guides;\n2. Ensure that the COOP is updated and tested appropriately;\n3. Improve monitoring of contractor security awareness training; and\n4. Formalize policy and procedures for maintaining the systems inventory.\n\n\n\n                                                    S\n                                                    Patrick P. 
O\xe2\x80\x99Carroll, Jr.\n\n11\n   Federal Emergency Management Agency Federal Preparedness Circular 65, Federal Executive Branch\nContinuity of Operations (COOP), June 15, 2004, pages 1, 4, 8, 9 and I-1.\n12\n   OMB Memorandum M-05-15, FY 2005 Reporting Instructions for the Federal Information Security\nManagement Act and Agency Privacy Management, June 13, 2005, page 15.\n\x0c                                      Appendices\nAPPENDIX A \xe2\x80\x93 Acronyms\n\nAPPENDIX B \xe2\x80\x93 Office of the Inspector General\xe2\x80\x99s Completion of OMB Questions\n             concerning Social Security Administration\xe2\x80\x99s Compliance with the\n             Federal Information Security Management Act\n\nAPPENDIX C \xe2\x80\x93 Background and Current Security Status\n\nAPPENDIX D \xe2\x80\x93 Scope and Methodology\n\nAPPENDIX E \xe2\x80\x93 Systems Certified and Accredited in Fiscal Year 2005\n\nAPPENDIX F \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\x0c                                                         Appendix A\n\nAcronyms\nASSERT     Automated Security Self-Evaluation and Remediation Tracking\nC&A        Certification and Accreditation\nCIO        Chief Information Officer\nCOOP       Continuity of Operations Plan\nDRE        Disaster Recovery Exercise\neGov       eGovernment\nFIPS       Federal Information Processing Standards\nFISMA      Federal Information Security Management Act\nFY         Fiscal Year\nIG         Inspector General\nIT         Information Technology\nNIST       National Institute of Standards and Technology\nOIG        Office of the Inspector General\nOMB        Office of Management and Budget\nPMA        President\xe2\x80\x99s Management Agenda\nPOA&M      Plan of Action and Milestones\nPwC        PricewaterhouseCoopers LLP\nSSA        Social Security Administration\nUS-CERT    United States Computer Emergency Readiness Team\n\x0c                                                                                  Appendix 
B\n\nOffice of the Inspector General\xe2\x80\x99s Completion of OMB\nQuestions Concerning Social Security\nAdministration\xe2\x80\x99s Compliance with the Federal\nInformation Security Management Act\n                                       Section C: Inspector General\n\n                              Agency Name: Social Security Administration\n                                                 Question 1\n\n1. As required in FISMA, the IG shall evaluate a representative subset of systems, including\ninformation systems used or operated by an agency or by a contractor of an agency or other\norganization on behalf of an agency. By FIPS 199 risk impact level (high, moderate, low, or not\ncategorized) and by bureau, identify the number of systems reviewed in this evaluation for each\nclassification below (a., b., and c.).\n\nTo meet the requirement for conducting a NIST Special Publication 800-26 review, agencies can:\n1) Continue to use NIST Special Publication 800-26, or,\n2) Conduct a self-assessment against the controls found in NIST Special Publication 800-53.\nAgencies are responsible for ensuring the security of information systems used by a contractor of their agency\nor other organization on behalf of their agency, therefore, self reporting by contractors does not meet the\nrequirements of law. Self reporting by another Federal agency, for example, a Federal service provider, may\nbe sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.\n                                             a.                       b.                        
c.\n                                       FY 05 Agency            FY 05 Contractor       FY 05 Total Number of\n                                         Systems                   Systems                   Systems\n                    FIPS 199\n                   Risk Impact      Total       Number         Total     Number        Total        Number\nBureau Name           Level        Number      Reviewed       Number    Reviewed      Number       Reviewed\n                   High                   0              0          0             0          0              0\nSocial Security\n                   Moderate               7              7          0             0          7              7\nAdministration\n                   Low                   13             13          0             0         13             13\n                   Not\n                   Categorized            0              0          0             0          0              0\n                   Sub-total             20             20          0             0         20             20\nAgency Totals      High                   0               0         0             0           0               0\n                   Moderate               7               7         0             0           7               7\n                   Low                   13             13          0             0         13             13\n                   Not\n                   Categorized            0               0         0             0           0               0\n                   Total                 20             20          0             0         20             20\n\n\n\n\n                                              B-1\n\x0c2. For each part of this question, identify actual performance in FY 05 by risk impact level and bureau,\nin the format provided below. 
From the representative subset of systems evaluated, identify the\nnumber of systems which have completed the following: have a current certification and accreditation,\na contingency plan tested within the past year, and security controls tested within the past year.\n\n\n\n                                             Question 2\n                                        a.                     b.                        c.\n                                    Number of        Number of systems         Number of systems for\n                                 systems certified    for which security      which contingency plans\n                                  and accredited     controls have been          have been tested in\n                                                    tested and evaluated       accordance with policy\n                                                        in the last year           and guidance\n\n\n                   FIPS 199\n                  Risk Impact     Total     Percent     Total    Percent of     Total       Percent of\nBureau Name          Level       Number     of Total   Number      Total       Number         Total\n                  High                  0      0.0%          0        0.0%              0          0.0%\nSocial Security   Moderate              7   100.0%           7      100.0%              7       100.0%\nAdministration\n                  Low                 13    100.0%          13      100.0%            13        100.0%\n                  Not\n                  Categorized           0      0.0%          0        0.0%              0          0.0%\n                  Sub-total           20    100.0%          20      100.0%            20        100.0%\nAgency Totals     High                  0      0.0%          0         0.0%             0          0.0%\n                  Moderate              7   100.0%           7      100.0%              7       100.0%\n                  Low                 13    100.0%         
 13      100.0%            13        100.0%\n                  Not\n                  Categorized           0      0.0%          0         0.0%             0          0.0%\n                  Total               20    100.0%          20      100.0%            20        100.0%\n\n\n\n\n                                             B-2\n\x0c                                                Question 3\n\n\nIn the format below, evaluate the agency\xe2\x80\x99s oversight of contractor systems, and agency system inventory.\n\n          The agency performs oversight and evaluation to ensure information\n          systems used or operated by a contractor of the agency or other\n          organization on behalf of the agency meet the requirements of FISMA,\n          OMB policy and NIST guidelines, national security policy, and agency\n          policy. Self-reporting of NIST Special Publication 800-26 requirements\n          by a contractor or other organization is not sufficient, however, self-    Almost Always, for\n          reporting by another Federal agency may be sufficient.                     
example,\n  3.a.\n                                                                                     approximately 96-\n          Response Categories:                                                       100% of the time\n               - Rarely, for example, approximately 0-50% of the time\n               - Sometimes, for example, approximately 51-70% of the time\n               - Frequently, for example, approximately 71-80% of the time\n               - Mostly, for example, approximately 81-95% of the time\n               - Almost Always, for example, approximately 96-100% of the time\n\n          The agency has developed an inventory of major information systems\n          (including major national security systems) operated by or under the\n          control of such agency, including an identification of the interfaces\n          between each such system and all other systems or networks, including\n          those not operated by or under the control of the agency.\n                                                                                     Approximately 96-\n  3.b.\n          Response Categories:                                                       100% complete\n               - Approximately 0-50% complete\n               - Approximately 51-70% complete\n               - Approximately 71-80% complete\n               - Approximately 81-95% complete\n               - Approximately 96-100% complete\n\n          The OIG generally agrees with the CIO on the number of agency owned\n  3.c.                                                                                         Yes\n          systems.\n\n\n          The OIG generally agrees with the CIO on the number of information\n  3.d.    systems used or operated by a contractor of the agency or other                      Yes\n          organization on behalf of the agency.\n\n\n  3.e.    The agency inventory is maintained and updated at least annually.                    Yes\n\n\n  3.f.    
The agency has completed system e-authentication risk assessments.                   Yes\n\n\n\n\n                                               B-3\n\x0c                                                  Question 4\n\n\nThrough this question, and in the format provided below, assess whether the agency has developed,\nimplemented, and is managing an agency wide plan of action and milestone (POA&M) process. Evaluate the\ndegree to which the following statements reflect the status in your agency by choosing from the responses\nprovided in the drop down menu. If appropriate or necessary, include comments in the area provided below.\n\nFor items 4a.-4.f, the response categories are as follows:\n\n      -   Rarely, for example, approximately 0-50% of the time\n      -   Sometimes, for example, approximately 51-70% of the time\n      -   Frequently, for example, approximately 71-80% of the time\n      -   Mostly, for example, approximately 81-95% of the time\n      -   Almost Always, for example, approximately 96-100% of the time\n\n\n                      The POA&M is an agency wide process,\n                      incorporating all known IT security\n                      weaknesses associated with information      - Almost Always, for example,\n          4.a.\n                      systems used or operated by the agency      approximately 96-100% of the time\n                      or by a contractor of the agency or other\n                      organization on behalf of the agency.\n\n                      When an IT security weakness is\n                      identified, program officials (including\n                                                                  - Almost Always, for example,\n          4.b.        
CIOs, if they own or operate a system)\n                                                                  approximately 96-100% of the time\n                      develop, implement, and manage\n                      POA&Ms for their system(s).\n\n                      Program officials, including contractors,\n                      report to the CIO on a regular basis (at    - Almost Always, for example,\n          4.c.\n                      least quarterly) on their remediation       approximately 96-100% of the time\n                      progress.\n\n                      CIO centrally tracks, maintains, and\n                                                                  - Almost Always, for example,\n          4.d.        reviews POA&M activities on at least a\n                                                                  approximately 96-100% of the time\n                      quarterly basis.\n\n                      OIG findings are incorporated into the      - Almost Always, for example,\n          4.e.\n                      POA&M process.                              approximately 96-100% of the time\n                      POA&M process prioritizes IT security\n                      weaknesses to help ensure significant IT\n                                                                  - Almost Always, for example,\n          4.f.        security weaknesses are addressed in a\n                                                                  approximately 96-100% of the time\n                      timely manner and receive appropriate\n                      resources\nComments:\n\n\n\n\n                                                 B-4\n\x0c                                                    Question 5\n\n\nOIG Assessment of the Certification and Accreditation Process. 
OMB is requesting IGs to provide a\nqualitative assessment of the agency\xe2\x80\x99s certification and accreditation process, including adherence to existing\npolicy, guidance, and standards. Agencies shall follow NIST Special Publication 800-37, \xe2\x80\x9cGuide for the\nSecurity Certification and Accreditation of Federal Information Systems\xe2\x80\x9d (May, 2004) for certification and\naccreditation work initiated after May, 2004. This includes use of the FIPS 199 (February, 2004), \xe2\x80\x9cStandards\nfor Security Categorization of Federal Information and Information Systems,\xe2\x80\x9d to determine an impact level, as\nwell as associated NIST documents used as guidance for completing risk assessments and security plans .\n\n\n\n               Assess the overall quality of the\n               Department's certification and\n               accreditation process.\n\n               Response Categories:\n                                                          - Excellent\n                    - Excellent\n                    - Good\n                    - Satisfactory\n                    - Poor\n                    - Failing\n\n\nComments:\n\n\n\n\n                                                   Question 6\n           Is there an agency wide security configuration policy?\n  6.a.     Yes or No.\n                                                                                              Yes\n\n           Comments:\n\n\n\n\n                                                   B-5\n\x0c          Configuration guides are available for the products listed below. Identify which software is\n          addressed in the agency wide security configuration policy. Indicate whether or not any\n 6.b.\n          agency systems run the software. 
      In addition, approximate the extent of implementation of the security
      configuration policy on the systems running the software.

      Response choices for the extent of implementation include:
      - Rarely, or, on approximately 0-50% of the systems running this software
      - Sometimes, or on approximately 51-70% of the systems running this software
      - Frequently, or on approximately 71-80% of the systems running this software
      - Mostly, or on approximately 81-95% of the systems running this software
      - Almost Always, or on approximately 96-100% of the systems running this software

Product                    Addressed in    Do any agency    Approximate extent of implementation
                           agencywide      systems run      of the security configuration policy
                           policy?         this software?   on the systems running the software
                           (Yes, No, N/A)  (Yes or No)
Windows XP Professional    Yes             Yes              Almost Always, or on approximately 96-100%
Windows NT                 Yes             Yes              Almost Always, or on approximately 96-100%
Windows 2000 Professional  Yes             Yes              Almost Always, or on approximately 96-100%
Windows 2000 Server        Yes             Yes              Almost Always, or on approximately 96-100%
Windows 2003 Server        Yes             Yes              Almost Always, or on approximately 96-100%
Solaris                    Yes             Yes              Mostly, or on approximately 81-95%
HP-UX                      Yes             Yes              Mostly, or on approximately 81-95%
Linux                      No              Yes              Rarely, or, on approximately 0-50%
Cisco Router IOS           Yes             Yes              Almost Always, or on approximately 96-100%
Oracle                     Yes             Yes              Almost Always, or on approximately 96-100%
Other: IBM AS/400 (AIX),   Yes             Yes              Almost Always, or on approximately 96-100%
IBM zOS

Comments: SSA is in the upper level of this range for Solaris and HP-UX. The significant
risk items for these systems should be addressed by September 20, 2005 according to the
Agency. Additionally, Linux is not the operating system for any of SSA's 20 Major
Applications or General Support Systems, but Linux was deployed on a limited number of
personal computers connected to SSA's network for the past several years. Upon
discovery of this system, SSA OCIO granted an exception waiver in August 2005 to allow
the use of this operating system on a temporary basis. It is anticipated the Linux operating
system will be removed from these computers by September 30, 2005.


                                   Question 7

Indicate whether or not the following policies and procedures are in place at your agency. If
appropriate or necessary, include comments in the area provided below.

7.a.  The agency follows documented policies and procedures for identifying and       Yes
      reporting incidents internally.
      Yes or No.

7.b.  The agency follows documented policies and procedures for external reporting
      to law enforcement authorities.
      Yes or No.                                                                      Yes

7.c.  The agency follows defined procedures for reporting to the United States        Yes
      Computer Emergency Readiness Team (US-CERT). http://www.us-cert.gov
      Yes or No.

Comments:


                                   Question 8

8     Has the agency ensured security training and awareness of all employees,
      including contractors and those employees with significant IT security
      responsibilities?
                                                  Response: Mostly, or approximately
                                                  81-95% of employees have sufficient
                                                  training1
      Response Choices include:
      - Rarely, or, approximately 0-50% of employees have sufficient training
      - Sometimes, or approximately 51-70% of employees have sufficient training
      - Frequently, or approximately 71-80% of employees have sufficient training
      - Mostly, or approximately 81-95% of employees have sufficient training
      - Almost Always, or approximately 96-100% of employees have sufficient training


                                   Question 9

9     Does the agency explain policies regarding peer-to-peer file sharing in IT      Yes
      security awareness training, ethics training, or any other agency wide
      training?
      Yes or No.

1 SSA is in the upper level of this range.


                                                                         Appendix C

Background and Current Security Status

The Federal Information Security Management Act (FISMA) requires agencies to create
protective environments for their information systems. It does so by creating a
framework for annual Information Technology (IT) security reviews, vulnerability
reporting, and remediation planning.1 Since 1997, the Social Security Administration
(SSA) has had an internal controls reportable condition concerning its protection of
information.2 The resolution of this reportable condition remains a priority for the
Agency. SSA is working with the Office of the Inspector General (OIG) and
PricewaterhouseCoopers LLP (PwC) to develop an approach to resolve this reportable
condition and other issues that were observed during the past FISMA reviews.

In August 2001, the President’s Management Agenda (PMA) was initiated to improve
the management and performance of Government. The PMA’s guiding principles are
that Government services should be citizen-centered, results-oriented, and market
based. The Office of Management and Budget (OMB) developed a traffic light
scorecard to show the progress agencies made: green for success, yellow for mixed
results, and red for unsatisfactory. One of the five governmentwide initiatives is to
increase the number of Government services available to the public electronically,
through the Internet. This initiative is known as expanding Electronic Government or
eGov. SSA’s current status is yellow and its score for progress in implementing eGov
services is green. FISMA requires agencies to take a risk-based, cost-effective
approach to securing their information and systems, and assists Federal agencies in
meeting their responsibilities under the PMA. FISMA authorizes the National Institute of
Standards and Technology to develop standards for Agency systems and security
programs.3 SSA has committed significant resources to getting to green on the eGov
initiative.

According to the standards of the PMA, the following five security actions must occur for
an Agency to reach and maintain green on its Expanding e-Gov Scorecard:

    •   Submit quarterly status reports to remediate IT security weaknesses;
    •   Have the OIG verify the effectiveness of the Department-wide IT Security
        Remediation Process;
    •   Have 100 percent of all IT systems properly secured (certified and accredited);
    •   Install IT systems in accordance with security configurations; and
    •   Consolidate and optimize all infrastructures for the Continuity of Operations
        Plan.4

1 Public Law 107-347, Title III, section 301, 44 U.S.C. §3544.
2 SSA’s FY 2004 Performance and Accountability Report, page 212.
3 Public Law 107-347, Title III, section 301, 44 U.S.C. §3543 (a)(3).
4 http://www.whitehouse.gov/results/agenda/standards.pdf as of August 18, 2005.


                                                                         Appendix D

Scope and Methodology

The Federal Information Security Management Act (FISMA) directs each agency’s
Office of the Inspector General (OIG) to perform an annual, independent evaluation of
the agency’s information security program and practices, as well as a review of an
appropriate subset of agency systems.1 The Social Security Administration (SSA) OIG
contracted with PricewaterhouseCoopers LLP (PwC) to audit SSA’s Fiscal Year (FY)
2005 financial statements.
Because of the extensive internal control system work that is
completed as part of that audit, our FISMA review requirements were incorporated into
the PwC financial statement audit contract. This evaluation included Federal
Information System Controls Audit Manual-level reviews of SSA’s mission critical
sensitive systems. PwC performed an “agreed-upon procedures” engagement using
FISMA, the Office of Management and Budget (OMB) Memorandum M-05-15, FY 2005
Reporting Instructions for the Federal Information Security Management Act and
Agency Privacy Management, National Institute of Standards and Technology guidance,
and other relevant security laws and regulations as a framework to complete the OIG
required review of SSA’s information security program and practices and its sensitive
systems.

As part of our evaluation, we considered the security implication of the President’s
Management Agenda, the Electronic Government initiative. Additionally, we reviewed
SSA’s FISMA Privacy Report, PwC’s response to the OMB FISMA questions and the
supporting documentation.

The results of our FISMA evaluation are based on the PwC FY 2005 FISMA Agreed-Upon
Procedures report and working papers, and various audits and evaluations performed
by this office. We also reviewed the final draft of SSA's FY 2005 Security Program
Review as required by the Federal Information Security Management Act.

Our major focus was an evaluation of SSA’s plan of action and milestones (POA&M),
risk models and configuration settings, certifications and accreditations (C&A), and
systems inventory processes. Our evaluation of SSA’s POA&Ms included an analysis
of the Automated Security Self-Evaluation and Remediation Tracking system and its
policies. Our review of the Agency’s C&A process included an analysis of all twenty
C&As for each major system. We also reviewed SSA’s updated systems inventory and
the policy for the update processes.

We performed field work at SSA facilities nationwide from March through September
2005. Our evaluation was performed in accordance with generally accepted
government auditing standards.

1 Public Law 107-347, Title III, section 301, 44 U.S.C. §3545 (b)(1).


                                                                      Appendix E

Systems Certified and Accredited in FY 2005

#    System                                                     Acronym
     General Support Systems
1    Audit Trail System                                         ATS
2    Comprehensive Integrity Review Process                     CIRP
3    Death Alert Control & Update System                        DACUS
4    Debt Management System                                     DMS
5    Disability Case Adjudication and Review System             DICARS
6    Disability Control File System                             DCFS
7    Enterprise Wide Area Network and Services System           EWANSS
8    FALCON Data Entry System                                   FALCON
9    Human Resources Management Information System              HRMIS
10   Integrated Client Database                                 ICDB
11   Logiplex Security Access Systems                           LSAS
12   Recovery of Overpayments, Accounting, & Reporting System   ROAR
13   Social Security Online Accounting and Reporting System     SSOARS
14   Social Security Unified Measurement Systems                SUMS
     Major Applications
1    Electronic Disability System                               eDib
2    Earnings Record Maintenance System                         ERMS
3    Retirement, Survivors & Disability Insurance System –      RSDI – Accounting
     Accounting
4    SSN Establishment & Correction System                      SSNECS
5    Supplemental Security Income Records Maintenance System    SSIRMS
6    Title II System


                                                                      Appendix F

OIG Contacts and Staff Acknowledgments

OIG Contacts

Kitt Winter, Director, Data Analysis and Technology Audit Division (410) 965-9702

Phil Rogofsky, Audit Manager (410) 965-9719

Acknowledgments

In addition to the persons named above:

Grace Chi, Auditor

Mary Ellen Fleischman, Senior Program Analyst

Harold Hunter, Senior Auditor

Annette DeRito, Writer/Editor

For additional copies of this report, please visit our web site at
www.socialsecurity.gov/oig or contact the Office of the Inspector General’s Public
Affairs Specialist at (410) 965-3218. Refer to Common Identification Number
A-14-05-15060.


                            DISTRIBUTION SCHEDULE

Commissioner of Social Security
Office of Management and Budget
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Subcommittee on Human Resources
Chairman and Ranking Minority Member, Committee on Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Government Reform, House of
Representatives
Chairman and Ranking Minority Member, Committee on Science, House of Representatives
Chairman and Ranking Minority Member, Committee on Governmental Affairs, U.S. Senate
Chairman and Ranking Minority Member, Committee on Commerce, Science and
Transportation, U.S. Senate
Chairman and Ranking Minority Member, Committee on Appropriations, House of
Representatives
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services,
Education and Related Agencies, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human
Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security and Family
Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging


               Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),
Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office
of Executive Operations (OEO). To ensure compliance with policies and procedures, internal
controls, and professional standards, we also have a comprehensive Professional Responsibility
and Quality Assurance program.

                                        Office of Audit

OA conducts and/or supervises financial and performance audits of the Social Security
Administration’s (SSA) programs and operations and makes recommendations to ensure
program objectives are achieved effectively and efficiently. Financial audits assess whether
SSA’s financial statements fairly present SSA’s financial position, results of operations, and cash
flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s programs
and operations. OA also conducts short-term management and program evaluations and projects
on issues of concern to SSA, Congress, and the general public.

                                    Office of Investigations

OI conducts and coordinates investigative activity related to fraud, waste, abuse, and
mismanagement in SSA programs and operations. This includes wrongdoing by applicants,
beneficiaries, contractors, third parties, or SSA employees performing their official duties. This
office serves as OIG liaison to the Department of Justice on all matters relating to the
investigations of SSA programs and personnel. OI also conducts joint investigations with other
Federal, State, and local law enforcement agencies.

                   Office of the Chief Counsel to the Inspector General

OCCIG provides independent legal advice and counsel to the IG on various matters, including
statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on
investigative procedures and techniques, as well as on legal implications and conclusions to be
drawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary
Penalty program.

                               Office of Executive Operations

OEO supports OIG by providing information resource management and systems security. OEO
also coordinates OIG’s budget, procurement, telecommunications, facilities, and human
resources. In addition, OEO is the focal point for OIG’s strategic planning function and the
development and implementation of performance measures required by the Government
Performance and Results Act of 1993.